Re: pgadmin and keycloak

From: Yogesh Mahajan <yogesh(dot)mahajan(at)enterprisedb(dot)com>
To: Jose M Barreiro <jmbarreiro(at)gmail(dot)com>
Cc: pgAdmin Support <pgadmin-support(at)postgresql(dot)org>
Subject: Re: pgadmin and keycloak
Date: 2024-01-02 12:30:48
Message-ID: CAMa=N=PP2RmXJLOpkKGsQ3hpy4G=1tuvBbEqMGU7gUuhPzo1ng@mail.gmail.com
Lists: pgadmin-support

Hi,

I am not able to reproduce the issue. I have tried with SSL and Non-SSL
enabled Keycloak.
Can you please add lines below in config_local.py -

import logging
FILE_LOG_LEVEL = logging.DEBUG
CONSOLE_LOG_LEVEL = logging.DEBUG

And get the pgadmin logs?

Also can you please share OS details and the pgadmin version?

Thanks,
Yogesh Mahajan
EnterpriseDB

On Tue, Jan 2, 2024 at 12:49 PM Jose M Barreiro <jmbarreiro(at)gmail(dot)com>
wrote:

> Hi Yogesh,
>
> Thank you for your support. I have several problems with pgadmin and
> keycloak. For example,
>
> If I use OAUTH2_SERVER_METADATA_URL, I received this error "403
> Client Error: Forbidden for url:
> http://keycloak.xxx.xxxx:8080/realms/iam/.well-known/openid-configuration"
>
> If I used your example, I received this error
>
> {"success":0,"errormsg":"'OAUTH2_API_BASE_URL'","info":"","result":null,"data":null}
>
> If I use this configuration
> >
> > OAUTH2_CONFIG = [
> >     {
> >         'OAUTH2_NAME': 'keycloak',
> >         'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
> >         'OAUTH2_CLIENT_ID': 'pgadmin',
> >         'OAUTH2_CLIENT_SECRET': 'xxxx',
> >         'OAUTH2_TOKEN_URL': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/token',
> >         'OAUTH2_AUTHORIZATION_URL': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/auth',
> >         'OAUTH2_USERINFO_ENDPOINT': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/userinfo',
> >         'OAUTH2_API_BASE_URL': 'http://keycloak.xxx.xxx:8080/realms/iam',
> >         'OAUTH2_ICON': 'fa-google',
> >         'OAUTH2_BUTTON_COLOR': '#0000ff',
> >         'OAUTH2_SCOPE': 'openid',
> >         'OAUTH2_SSL_CERT_VERIFICATION': 'False',
> >         'OAUTH2_ADDITIONAL_CLAIMS': {
> >             'groups': ["administrators"],
> >         }
> >     }
> > ]
>
> I receive this error
>
> {"success":0,"errormsg":"Expecting value: line 1 column 1 (char
> 0)","info":"","result":null,"data":null}
>
> In the logs you can see
> >
> > 10.248.227.10 - - [02/Jan/2024:07:16:47 +0000] "POST /authenticate/login HTTP/1.1" 302 791 "https://pgadmin4.apps.xxxx.xxxx.dplt/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
> >
> > 2024-01-02 07:16:48,400: ERROR pgadmin: Expecting value: line 1 column 1 (char 0)
> > Traceback (most recent call last):
> >   File "/venv/lib/python3.11/site-packages/requests/models.py", line 971, in json
> >     return complexjson.loads(self.text, **kwargs)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3.11/json/__init__.py", line 346, in loads
> >     return _default_decoder.decode(s)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3.11/json/decoder.py", line 337, in decode
> >     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
> >                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode
> >     raise JSONDecodeError("Expecting value", s, err.value) from None
> > json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
> > During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
>     rv = self.dispatch_request()
>          ^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
>     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 56, in oauth_authorize
>     status, msg = auth_obj.login()
>                   ^^^^^^^^^^^^^^^^
>   File "/pgadmin4/pgadmin/authenticate/__init__.py", line 301, in login
>     status, msg = self.source.login(self.form)
>                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 126, in login
>     profile = self.get_user_profile()
>               ^^^^^^^^^^^^^^^^^^^^^^^
>   File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 201, in get_user_profile
>     self.oauth2_current_client].authorize_access_token()
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
>     token = self.fetch_access_token(**params, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 342, in fetch_access_token
>     token = client.fetch_token(token_endpoint, **params)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 207, in fetch_token
>     return self._fetch_token(
>            ^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 364, in _fetch_token
>     return self.parse_response_token(resp)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 338, in parse_response_token
>     token = resp.json()
>             ^^^^^^^^^^^
>   File "/venv/lib/python3.11/site-packages/requests/models.py", line 975, in json
>     raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
> requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
> 10.248.227.10 - - [02/Jan/2024:07:16:48 +0000] "GET /oauth2/authorize?state=zhsCc9Nspt61zaWitYqfT61JoHiHer&session_state=4d4bdc0d-3901-4d13-af89-d1646a3115b3&iss=http%3A%2F%2Fkeycloak.xxxx.xxxx%3A8080%2Frealms%2Fiam&code=dd98dd4a-bd20-49aa-861d-39f5d5af1795.4d4bdc0d-3901-4d13-af89-d1646a3115b3.ec389ead-d683-4f45-a63a-d93f0814efaf HTTP/1.1" 500 104 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
>
> Thanks for your support,
>
> Best regards,
> Jose
>
>
> On Tue, Jan 2, 2024 at 5:41 AM Yogesh Mahajan
> <yogesh(dot)mahajan(at)enterprisedb(dot)com> wrote:
> >
> > Hi Jose,
> >
> > pgAdmin 4 supports keycloak for authentication. Is there any error/difficulty while configuring it?
> > Here is a typical configuration for the keycloak provider -
> >
> > AUTHENTICATION_SOURCES = ['internal', 'oauth2']
> > OAUTH2_CONFIG = [
> >     {
> >         'OAUTH2_NAME': 'keycloak',
> >         'OAUTH2_DISPLAY_NAME': 'Login with Keycloak',
> >         'OAUTH2_CLIENT_ID': '<keycloak client id>',
> >         'OAUTH2_CLIENT_SECRET': '<client secret>',
> >         'OAUTH2_TOKEN_URL': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/token',
> >         'OAUTH2_AUTHORIZATION_URL': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/auth',
> >         'OAUTH2_API_BASE_URL': None,
> >         'OAUTH2_USERINFO_ENDPOINT': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/userinfo',
> >         'OAUTH2_SCOPE': 'openid',
> >         'OAUTH2_USERNAME_CLAIM': None,
> >         'OAUTH2_ICON': None,
> >         'OAUTH2_BUTTON_COLOR': None,
> >         'OAUTH2_SERVER_METADATA_URL': 'https://<keycloak server ip:port>//realms/<realm_name>/.well-known/openid-configuration',
> >         'OAUTH2_SSL_CERT_VERIFICATION': False
> >     }
> > ]
> >
> >
> >
> > Thanks,
> > Yogesh Mahajan
> > EnterpriseDB
> >
> >
> > On Mon, Jan 1, 2024 at 10:05 PM Jose M Barreiro <jmbarreiro(at)gmail(dot)com> wrote:
> >>
> >> Hi,
> >>
> >> First of all, Happy New Year!!!!
> >>
> >> I have a problem with pgadmin and keycloak. We need to change our IDP, actually we are using okta and pgadmin is working fine with it.
> >>
> >> We need to configure pgadmin to use keycloak but it's not possible to configure pgadmin to work with keycloak.
> >>
> >> Can you help us to understand the reason?
> >>
> >> Best regards,
> >> Jose
> >>
>
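
Added example, not part of the original messages and not pgAdmin code: a small Python lint for one OAUTH2_CONFIG entry that flags conditions visible in the configurations quoted above (a string 'False' for OAUTH2_SSL_CERT_VERIFICATION, plain-http endpoints, a URL value split by a line break, a doubled slash in a path, an absent OAUTH2_API_BASE_URL). The function name lint_provider, the EXPECTED_KEYS list and the sample host are assumptions of this example.

```python
from urllib.parse import urlparse

# Key names are the ones used in the configurations quoted in this thread.
URL_KEYS = ("OAUTH2_TOKEN_URL", "OAUTH2_AUTHORIZATION_URL",
            "OAUTH2_USERINFO_ENDPOINT", "OAUTH2_API_BASE_URL",
            "OAUTH2_SERVER_METADATA_URL")
# Assumption: keys this example expects to be present; not pgAdmin's own list.
EXPECTED_KEYS = ("OAUTH2_NAME", "OAUTH2_CLIENT_ID", "OAUTH2_CLIENT_SECRET",
                 "OAUTH2_API_BASE_URL", "OAUTH2_SCOPE")

def lint_provider(cfg):
    """Return (key, finding) tuples for one OAUTH2_CONFIG entry."""
    findings = [(k, "key missing") for k in EXPECTED_KEYS if k not in cfg]
    for key in URL_KEYS:
        value = cfg.get(key)
        if not isinstance(value, str):
            continue  # None or absent: nothing to check here
        if any(c.isspace() for c in value):
            findings.append((key, "whitespace or line break inside URL"))
        url = urlparse(value.strip())
        if url.scheme != "https":
            findings.append((key, "not https: credentials and tokens travel in cleartext"))
        if "//" in url.path:
            findings.append((key, "doubled slash in path"))
    verify = cfg.get("OAUTH2_SSL_CERT_VERIFICATION", True)
    if isinstance(verify, str):
        # Any non-empty string, including 'False', is truthy in Python.
        findings.append(("OAUTH2_SSL_CERT_VERIFICATION",
                         "string value is truthy; use a boolean"))
    elif verify is False:
        findings.append(("OAUTH2_SSL_CERT_VERIFICATION",
                         "TLS certificate verification disabled"))
    return findings

# Constructed sample modelled on the quoted configuration; host is a placeholder.
SAMPLE = {
    "OAUTH2_NAME": "keycloak",
    "OAUTH2_CLIENT_ID": "pgadmin",
    "OAUTH2_CLIENT_SECRET": "xxxx",
    "OAUTH2_TOKEN_URL": "\nhttp://keycloak.example:8080/realms/iam/protocol/openid-connect/token",
    "OAUTH2_SERVER_METADATA_URL": "https://keycloak.example:8443//realms/iam/.well-known/openid-configuration",
    "OAUTH2_SCOPE": "openid",
    "OAUTH2_SSL_CERT_VERIFICATION": "False",
}

if __name__ == "__main__":
    for key, finding in lint_provider(SAMPLE):
        print(f"{key}: {finding}")
```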
